#!/usr/bin/env bash

# Copyright 2023 Flant JSC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

source /shell_lib.sh

function __config__(){
  cat <<EOF
configVersion: v1
kubernetes:
  - name: operator_trivy_module_config
    apiVersion: deckhouse.io/v1alpha1
    kind: ModuleConfig
    queue: operator_trivy_module_config
    group: main
    executeHookOnEvent: []
    executeHookOnSynchronization: false
    keepFullObjectsInMemory: false
    nameSelector:
      matchNames:
      - operator-trivy
    jqFilter: |
      {
        "enabled": .spec.enabled,
      }
kubernetesValidating:
- name: ape-moduleconfig.deckhouse.io
  group: main
  rules:
  - apiGroups:   ["deckhouse.io"]
    apiVersions: ["*"]
    operations:  ["CREATE", "UPDATE"]
    resources:   ["moduleconfigs"]
    scope:       "Cluster"
EOF
}

function __main__() {
  mcName=$(context::jq -r '.review.request.object.metadata.name')
  if [[ "$mcName" == "admission-policy-engine" ]]; then
    denyVulnerableImagesEnabled="$(context::jq -r '.review.request.object.spec.settings.denyVulnerableImages.enabled')"
    operatorTrivyEnabled="$(context::jq -r '.snapshots.operator_trivy_module_config[].filterResult.enabled')"
    if [[ "$denyVulnerableImagesEnabled" == "true" ]] && [[ "$operatorTrivyEnabled" != "true" ]]; then
      cat <<EOF > "$VALIDATING_RESPONSE_PATH"
{"allowed":false, "message":"moduleconfigs.deckhouse.io \"$mcName\", .spec.settings.denyVulnerableImages can't be enabled when operator-trivy module is disabled" }
EOF
      return 0
    fi
  fi

  cat <<EOF > "$VALIDATING_RESPONSE_PATH"
{"allowed":true}
EOF

}

hook::run "$@"
